DESCRIPTION

METHOD AND SYSTEM FOR DETECTING DENIAL-OF-SERVICE ATTACK

TECHNICAL FIELD

[0001] The present invention relates to a method and a system for detecting a denial-of-service attack on a communication device using a monitoring device for monitoring a packet transmitted to the communication device that is a target of a denial-of-service attack, a performance measuring device for measuring performance of the communication device, and an attack determining device for performing communication with the monitoring device and the performance measuring device. More particularly, the present invention relates to a denial-of-service attack detecting system and a denial-of-service attack detecting method capable of detecting only a denial-of-service attack which needs to be dealt with, by improving the precision of detection of denial-of-service attacks.

BACKGROUND ART 

[0002] There have been known attacks through networks such as denial-of-service attacks (including distributed denial-of-service attacks) that paralyze networks and server machines (hereinafter, "communication device") by sending great amounts of packets thereto. Because denial-of-service attacks are difficult to detect by a method focusing on feature amounts of packets, a system for detecting denial-of-service attacks by a method focusing on an abnormality of traffic (volume) is widely used.

[0003] In such a system for detecting denial-of-service attacks, steady traffic, obtained by measuring traffic to a communication device that is a target of an attack over a predetermined period of time, is calculated in advance, either manually or automatically. If the traffic monitored deviates from the steady traffic, this is regarded as an attack, and the denial-of-service attack is detected in this manner (see, for example, Patent document 1).

[0004] Patent document 1: Japanese Patent Application Laid-open No. 2003-283555.

DISCLOSURE OF INVENTION 

PROBLEM TO BE SOLVED BY THE INVENTION

[0005] However, there are many cases where the denial-of-service attack does not do any real damage to the services provided by a communication device even if an abnormality seems to occur in traffic, because of the relationship between the scale of an attack and the respective throughputs of the network and the communication device. In these cases, even if the denial-of-service attack detecting system detects the abnormality as an attack, there is no need to specifically deal with the abnormality. Thus, it looks as if there is no difference between this case and incorrect detection.

[0006] If the main purpose of the denial-of-service attack detecting system is considered to be protecting communication devices from denial-of-service attacks, it is more important to quickly find an abnormality of traffic which causes degradation of performance than to improve the precision of the determination on whether an abnormality of traffic is an attack. However, in the conventional denial-of-service attack detecting system, an attack is detected based only on a traffic abnormality, without allowing for the throughput or the like of the communication device. Therefore, detection of a traffic abnormality which has nothing to do with degradation of performance, that is, detection of cases which do not need to be dealt with (incorrect detection in the broad sense), increases.

[0007] The present invention has been achieved to solve the problems of the conventional technology, and it is an object of the present invention to provide a denial-of-service attack detecting system and a denial-of-service attack detecting method capable of detecting only a denial-of-service attack which needs to be dealt with, by improving the precision of detection of denial-of-service attacks.

MEANS FOR SOLVING PROBLEM 

[0008] To solve the above problems and to achieve the goal, a denial-of-service attack detecting system for detecting a denial-of-service attack on a communication device, according to one aspect of the present invention, includes a monitoring device that monitors a packet transmitted to a communication device that is a target of the denial-of-service attack; a performance measuring device that measures performance of the communication device; and an attack determining device that performs communication with the monitoring device and the performance measuring device. The monitoring device includes a traffic abnormality detecting unit that detects traffic abnormality information indicating an abnormality of traffic due to the packet with respect to the communication device. The performance measuring device includes a performance abnormality detecting unit that detects performance abnormality information indicating an abnormality of throughput of the communication device. The attack determining device includes an effects determining unit that determines whether the communication device received the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information.

[0009] According to the present invention, the monitoring device detects the traffic abnormality information indicating the abnormality of traffic due to the packets sent to the communication device, the performance measuring device detects the performance abnormality information indicating the abnormality of throughput of the communication device, and the attack determining device determines whether each of the abnormalities indicates the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information. Therefore, by using not only the traffic abnormality information but also the performance abnormality information, that is, by using the relationship between the two, it is determined whether each of the abnormalities indicates the denial-of-service attack, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0010] With the denial-of-service attack detecting system according to the present invention, the monitoring device further includes a traffic-abnormality-information transmitting unit that transmits the traffic abnormality information to the attack determining device.

[0011] According to the present invention, the monitoring device transmits the traffic abnormality information to the attack determining device. Therefore, the attack determining device efficiently acquires the traffic abnormality information without accessing the monitoring device to refer to it, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0012] With the denial-of-service attack detecting system according to the present invention, the performance measuring device further includes a performance-abnormality-information transmitting unit that transmits the performance abnormality information to the attack determining device.

[0013] According to the present invention, the performance measuring device transmits the performance abnormality information to the attack determining device. Therefore, the attack determining device efficiently acquires the performance abnormality information without accessing the performance measuring device to refer to it, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0014] With the denial-of-service attack detecting system according to the present invention, the traffic abnormality detecting unit detects the traffic abnormality information based on a predetermined attack detection condition that is set in advance.

[0015] According to the present invention, the traffic abnormality information is detected based on the predetermined attack detection condition which is preset. Therefore, the monitoring device can efficiently detect the traffic abnormality information, and can easily deal with a new attack whose attack pattern differs from other attacks, by changing the attack detection condition.

[0016] With the denial-of-service attack detecting system according to the present invention, the traffic abnormality detecting unit generates a signature indicating a feature of the packet attacking the communication device, based on the attack detection condition, and generates the traffic abnormality information including the signature.

[0017] According to the present invention, the signature indicating the feature of each packet which attacks the communication device is generated based on the attack detection condition, and the traffic abnormality information including the signature is generated. Therefore, by generating traffic abnormality information that reflects the features of the attacking packets, the reliability of the traffic abnormality information can be improved.

[0018] With the denial-of-service attack detecting system according to the present invention, the traffic abnormality detecting unit detects the traffic abnormality information based on a steady traffic indicating an average traffic of the packet transmitted to the communication device.

[0019] According to the present invention, the traffic abnormality information is detected based on the steady traffic indicating the average traffic of the packets sent to the communication device. Therefore, the traffic abnormality information can be easily generated based on how the traffic detected deviates from the steady traffic.

[0020] With the denial-of-service attack detecting system according to the present invention, the performance abnormality detecting unit detects the performance abnormality information based on a predetermined performance abnormality detection condition that is set in advance.

[0021] According to the present invention, the performance abnormality information is detected based on the predetermined performance abnormality detection condition which is preset. Therefore, the performance measuring device can efficiently detect the performance abnormality information, and can easily deal with differences between the performances of the communication devices to be monitored and with changes in those performances, by changing the performance abnormality detection condition.

[0022] With the denial-of-service attack detecting system according to the present invention, the performance abnormality detection condition includes a response time from transmission of a response request message to the communication device to reception of a response message corresponding to the response request message, and a number of times that the response time exceeds a predetermined threshold.

[0023] According to the present invention, the performance abnormality detection condition includes the response time from transmission of a response request message to the communication device to reception of the response message to the response request message, and the number of times the response time exceeds the predetermined threshold. Therefore, the performance abnormality information can be easily generated based on the response time of the communication device.

[0024] With the denial-of-service attack detecting system according to the present invention, the performance abnormality detecting unit detects the performance abnormality information based on a steady performance indicating an average performance feature of the communication device.

[0025] According to the present invention, the performance abnormality information is detected based on the steady performance indicating the average performance feature of the communication device. Therefore, the performance abnormality information can be easily generated based on how the performance detected deviates from the steady performance.

[0026] With the denial-of-service attack detecting system according to the present invention, the effects determining unit determines that the communication device received the denial-of-service attack when it is determined that one of the traffic abnormality information and the performance abnormality information caused the occurrence of the other, based on an abnormality occurrence time included in the traffic abnormality information and the performance abnormality information.

[0027] According to the present invention, when it is determined, based on the times at which each of the abnormalities occurred, which are included in the traffic abnormality information and the performance abnormality information, that one of the two pieces of abnormality information caused the occurrence of the other, this is determined as the denial-of-service attack. Therefore, by using not only the traffic abnormality information but also the performance abnormality information, that is, by using the relationship between the two, it is determined whether the abnormality indicates the denial-of-service attack, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0028] With the denial-of-service attack detecting system according to the present invention, when the effects determining unit determines that the communication device received the denial-of-service attack, the attack determining device transmits the traffic abnormality information and the performance abnormality information used for the determination to a device for reporting to an operator.

[0029] According to the present invention, when the attack determining device determines that the abnormality indicates the denial-of-service attack, the attack determining device transmits the traffic abnormality information and the performance abnormality information used for the determination to the device for reporting to the operator. Therefore, the operator can adequately deal with the abnormality based on these pieces of abnormality information.

[0030] With the denial-of-service attack detecting system according to the present invention, the effects determining unit determines whether the communication device received the denial-of-service attack after performing an authorization based on certificates included in the traffic abnormality information and the performance abnormality information.

[0031] According to the present invention, authorization is performed based on the certificate included in the traffic abnormality information and the certificate included in the performance abnormality information, and only then is it determined whether the abnormality is the denial-of-service attack. Therefore, spoofing by an unauthorized device can be effectively prevented.
[0032] A denial-of-service-attack detecting method according to another aspect of the present invention is for detecting a denial-of-service attack on a communication device by using a monitoring device that monitors a packet transmitted to a communication device that is a target of the denial-of-service attack, a performance measuring device that measures performance of the communication device, and an attack determining device that performs communication with the monitoring device and the performance measuring device. The denial-of-service-attack detecting method includes traffic abnormality detecting, including the monitoring device detecting traffic abnormality information indicating an abnormality of traffic due to the packet with respect to the communication device; performance abnormality information detecting, including the performance measuring device detecting performance abnormality information indicating an abnormality of throughput of the communication device; and effects determining, including the attack determining device determining whether the communication device received the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information.

[0033] According to the present invention, the monitoring device detects the traffic abnormality information indicating the abnormality of traffic due to the packets sent to the communication device, the performance measuring device detects the performance abnormality information indicating the abnormality of throughput of the communication device, and the attack determining device determines whether each of the abnormalities indicates the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information. Therefore, by using not only the traffic abnormality information but also the performance abnormality information, that is, by using the relationship between the two, it is determined whether each of the abnormalities indicates the denial-of-service attack, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0034] The denial-of-service-attack detecting method according to the present invention further includes traffic abnormality information transmitting, including the monitoring device transmitting the traffic abnormality information to the attack determining device.

[0035] According to the present invention, the monitoring device transmits the traffic abnormality information to the attack determining device. Therefore, the attack determining device efficiently acquires the traffic abnormality information without accessing the monitoring device to refer to it, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0036] The denial-of-service-attack detecting method according to the present invention further includes performance abnormality information transmitting, including the performance measuring device transmitting the performance abnormality information to the attack determining device.

[0037] According to the present invention, the performance measuring device transmits the performance abnormality information to the attack determining device. Therefore, the attack determining device efficiently acquires the performance abnormality information without accessing the performance measuring device to refer to it, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.


EFFECT OF THE INVENTION 

[0038] According to the present invention, the monitoring device detects the traffic abnormality information indicating the abnormality of traffic due to the packets sent to the communication device, the performance measuring device detects the performance abnormality information indicating the abnormality of throughput of the communication device, and the attack determining device determines whether each of the abnormalities indicates the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information. Therefore, by using not only the traffic abnormality information but also the performance abnormality information, that is, by using the relationship between the two, it is determined whether each of the abnormalities indicates the denial-of-service attack, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0039] Furthermore, according to the present invention, the monitoring device transmits the traffic abnormality information to the attack determining device. Therefore, the attack determining device efficiently acquires the traffic abnormality information without accessing the monitoring device to refer to it, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0040] Moreover, according to the present invention, the performance measuring device transmits the performance abnormality information to the attack determining device. Therefore, the attack determining device efficiently acquires the performance abnormality information without accessing the performance measuring device to refer to it, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0041] Furthermore, according to the present invention, the traffic abnormality information is detected based on the predetermined attack detection condition which is preset. Therefore, the monitoring device can efficiently detect the traffic abnormality information, and can easily deal with a new attack whose attack pattern differs from other attacks, by changing the attack detection condition.

[0042] Moreover, according to the present invention, the signature indicating the feature of each packet which attacks the communication device is generated based on the attack detection condition, and the traffic abnormality information including the signature is generated. Therefore, by generating traffic abnormality information that reflects the features of the attacking packets, the reliability of the traffic abnormality information can be improved.

[0043] Furthermore, according to the present invention, the traffic abnormality information is detected based on the steady traffic indicating the average traffic of the packets sent to the communication device. Therefore, the traffic abnormality information can be easily generated based on how the traffic detected deviates from the steady traffic.

[0044] Moreover, according to the present invention, the performance abnormality information is detected based on the predetermined performance abnormality detection condition which is preset. Therefore, the performance measuring device can efficiently detect the performance abnormality information, and can easily deal with differences between the performances of the communication devices to be monitored and with changes in those performances, by changing the performance abnormality detection condition.

[0045] Furthermore, according to the present invention, the performance abnormality detection condition includes the response time from transmission of a response request message to the communication device to reception of the response message to the response request message, and the number of times the response time exceeds the predetermined threshold. Therefore, the performance abnormality information can be easily generated based on the response time of the communication device.

[0046] Moreover, according to the present invention, the performance abnormality information is detected based on the steady performance indicating the average performance feature of the communication device. Therefore, the performance abnormality information can be easily generated based on how the performance detected deviates from the steady performance.

[0047] Furthermore, according to the present invention, when it is determined, based on the times at which each of the abnormalities occurred, which are included in the traffic abnormality information and the performance abnormality information, that one of the two pieces of abnormality information caused the occurrence of the other, this is determined as the denial-of-service attack. Therefore, by using not only the traffic abnormality information but also the performance abnormality information, that is, by using the relationship between the two, it is determined whether the abnormality indicates the denial-of-service attack, which improves the detection precision of denial-of-service attacks. Thus, it is possible to detect only a denial-of-service attack which needs to be dealt with.

[0048] Moreover, according to the present invention, when the attack determining device determines that the abnormality indicates the denial-of-service attack, the attack determining device transmits the traffic abnormality information and the performance abnormality information used for the determination to the device for reporting to the operator. Therefore, the operator can adequately deal with the abnormality based on these pieces of abnormality information.

[0049] Furthermore, according to the present invention, authorization is performed based on the certificate included in the traffic abnormality information and the certificate included in the performance abnormality information, and only then is it determined whether the abnormality is the denial-of-service attack. Therefore, spoofing by an unauthorized device can be effectively prevented.
BRIEF DESCRIPTION OF DRAWINGS

[0050]

Fig. 1 is a block diagram of the configuration of a denial-of-service attack detecting system according to an embodiment of the present invention;
Fig. 2 is a block diagram of the configuration of a monitoring device shown in Fig. 1;
Fig. 3 is a diagram of one example of attack detection conditions;
Fig. 4 is a block diagram of the configuration of a performance measuring device shown in Fig. 1;
Fig. 5 is a diagram of one example of performance abnormality detection conditions;
Fig. 6 is a block diagram of the configuration of an attack determining device shown in Fig. 1;
Fig. 7 is a flowchart of the operation of the monitoring device shown in Fig. 2;
Fig. 8 is a flowchart of the operation of the performance measuring device shown in Fig. 4; and
Fig. 9 is a flowchart of the operation of the attack determining device shown in Fig. 6.

EXPLANATIONS OF LETTERS OR NUMERALS

[0051]

1 Denial-of-service attack detecting system
2 LAN
3 Communication device
4 WAN
5 Monitoring device
6, 9 Communication line
7 Performance measuring device
8 Attack determining device
10 Traffic abnormality detector
11 Traffic abnormality information transmitter
12 Signature generator
13, 14, 18, 19, 22 Communication interface
15 Switch
16 Performance abnormality detector
17 Performance abnormality information transmitter
20 Effects determining unit
21 Alert transmitter

BEST MODE(S) FOR CARRYING OUT THE INVENTION

[0053] Exemplary embodiments of a method and a system for detecting a denial-of-service attack according to the present invention will be explained in detail below with reference to the accompanying drawings.

Embodiments

[0053] Fig. 1 is a block diagram of the configuration of a denial-of-service attack detecting system 1 according to an embodiment of the present invention. The denial-of-service attack detecting system 1 shown in Fig. 1 is a system that detects a denial-of-service attack on a communication device 3 using a monitoring device 5, a performance measuring device 7, and an attack determining device 8. More specifically, if the monitoring device 5 on a local area network (LAN) 2 detects a traffic abnormality caused by packets sent to the communication device 3 (step (1) of Fig. 1), the monitoring device 5 transmits traffic abnormality information indicating the content of the traffic abnormality to the attack determining device 8 (step (2) of Fig. 1).

[0054] If the performance measuring device 7 on a wide area network (WAN) 4 detects a performance abnormality of the communication device 3 (step (3) of Fig. 1), the performance measuring device 7 transmits performance abnormality information indicating the content of the performance abnormality to the attack determining device 8 (step (4) of Fig. 1). When receiving the traffic abnormality information and the performance abnormality information, the attack determining device 8 on the LAN 2 determines whether each of the abnormalities indicates the denial-of-service attack on the communication device 3, based on these pieces of abnormality information (step (5) of Fig. 1).

[0055] Conventionally, when a denial-of-service attack on the communication device 3 as a target of an attack is detected, the system detects the denial-of-service attack in such a manner that the system previously calculates steady traffic by measuring traffic to the communication device 3, being a target of an attack, over a predetermined period of time, and determines a case in which the traffic monitored deviates from the steady traffic as an attack. However, even if an abnormality seems to occur in traffic, there are many cases where no real damage is done to the services provided by the communication device 3, because of the relationship between the scale of a denial-of-service attack and the respective throughputs of the network and the communication device. Therefore, even if the abnormality is detected as a denial-of-service attack, there is often no need to actually deal with the abnormality. Thus, it looks as if there is no difference between this case and incorrect detection.

[0056] According to the present embodiment, the monitoring device 5 detects a traffic abnormality, and the performance measuring device 7 detects a performance abnormality of the communication device 3. Furthermore, the attack determining device 8 determines whether the abnormality indicates an attack, based on the traffic abnormality and the performance abnormality. Therefore, according to the present embodiment, the determination on an attack can be performed based on not only the traffic abnormality but also the performance abnormality of the communication device 3, which improves the detection precision of denial-of-service attacks, thus efficiently detecting only a denial-of-service attack which needs to be dealt with.

[0057] It is noted that Fig. 1 shows the case where the 

10 monitoring device 5 and the attack determining device 8 are 
connected to the same LAN 2 to which the communication 
device 3 is connected and the performance measuring device 
7 is connected to the WAN 4, but there is no limitation in 
the lines to which the devices (the monitoring device 5, 

15 the performance measuring device 7, and the attack 
determining device 8) are connected respectively . 
[0058] The system configuration of the denial-of-service attack detecting system 1 is explained below. As shown in Fig. 1, the denial-of-service attack detecting system 1 includes the monitoring device 5 that is provided on the LAN 2 in a small or medium-sized company and monitors packets transmitted, through the WAN 4 such as a backbone network, to at least one communication device 3 connected to the LAN 2; the performance measuring device 7 that is provided on the WAN 4 and measures the performance of the communication device 3 through the WAN 4; and the attack determining device 8 that is provided on the LAN 2 and is connected to the monitoring device 5 and the performance measuring device 7 through a communication line 9. However, the configuration of the denial-of-service attack detecting system 1 shown in Fig. 1 is only one example, and the denial-of-service attack detecting system according to the present invention may also include a plurality of performance measuring devices 7, or may be configured to use Web (World Wide Web) site performance measurement services provided by some other party, instead of part of or the whole of the performance measuring devices 6.

[0059] The monitoring device 5 is formed with a router that constitutes the LAN 2. The monitoring device 5 may also be formed with a firewall, etc. provided on the LAN 2.

[0060] Fig. 2 is a block diagram of the configuration of the monitoring device 5 shown in Fig. 1. The monitoring device 5 includes a traffic abnormality detector 10 that detects a traffic abnormality due to packets transmitted to the communication device 3; a traffic abnormality information transmitter 11 that transmits information on the traffic abnormality detected to the attack determining device 8; a signature generator 12 that generates a signature indicating a feature of a packet which attacks the communication device 3; communication interfaces 13 and 14 for performing communication with each of the devices, including the attack determining device 8, provided on the WAN 4 and the LAN 2, respectively; and a switch 15 for routing a packet.

[0061] The traffic abnormality detector 10 is a processor that detects an attack based on preset attack detection conditions. Fig. 3 is a diagram of one example of attack detection conditions. In Fig. 3, the attack detection conditions include two sets of records: a set of detection attributes, and a set of a detection threshold and a detection time. The detection attribute indicates an attribute of a packet as a target for detection, the detection threshold indicates a threshold of the transmission rate of a packet as a target for detection, and the detection time indicates a threshold of the time during which the transmission rate of a packet as a target for detection exceeds the detection threshold.

[0062] For example, a first detection condition is applied to a packet as a target for detection in which the destination address information is 192.168.1.1 (Dst=192.168.1.1/32), the protocol of the transport layer is the transmission control protocol (TCP) (Protocol=TCP), and the TCP port number is 80 (Port=80). If a state in which the transmission rate of the packets as targets for detection exceeds 300 kbps continues for 10 seconds or more, this state is detected as a traffic abnormality due to the packets as targets for detection.

[0063] Likewise, a second detection condition is applied to a packet as a target for detection in which the destination address information is 192.168.1.2 (Dst=192.168.1.2/32). If a state in which the transmission rate of the packets as targets for detection exceeds 100 kbps continues for 10 seconds or more, this state is detected as a traffic abnormality due to the packets as targets for detection.
[0064] When the traffic abnormality detector 10 detects the attack by the packets as targets for detection in the above manner, the signature generator 12 generates a signature indicating the feature of each packet as a target for detection. For example, if an attack that matches the first detection condition of the attack detection conditions of Fig. 3 is detected, then the signature generator 12 generates a signature indicating a packet in which the destination address information is 192.168.1.1, the protocol of the transport layer is TCP, and the TCP port number is 80.
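The following is an added example, not code from the patent, of how the traffic abnormality detector 10 and the signature generator 12 of paragraphs [0061] through [0064] can be implemented: the two Fig. 3 conditions are evaluated over one-second buckets of constructed packet records, and a signature is emitted only when the rate stays above the threshold for the full detection time. The packet record layout (ts, dst, proto, port, size) and the sample traffic are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DetectionCondition:
    """One record of the Fig. 3 table: detection attributes, threshold, detection time."""
    dst: str                  # destination host (the /32 in Dst=...)
    protocol: Optional[str]   # transport protocol, None means any
    port: Optional[int]       # TCP port, None means any
    threshold_kbps: float     # detection threshold
    detection_time_s: int     # seconds the rate must stay above the threshold

    def matches(self, pkt: dict) -> bool:
        return (pkt["dst"] == self.dst
                and (self.protocol is None or pkt["proto"] == self.protocol)
                and (self.port is None or pkt["port"] == self.port))

    def signature(self) -> dict:
        """Signature emitted by signature generator 12 when this condition fires."""
        return {k: v for k, v in (("dst", self.dst), ("proto", self.protocol),
                                  ("port", self.port)) if v is not None}

# The two conditions given in the description of Fig. 3.
FIG3_CONDITIONS = [
    DetectionCondition("192.168.1.1", "TCP", 80, 300.0, 10),
    DetectionCondition("192.168.1.2", None, None, 100.0, 10),
]

def detect_traffic_abnormality(packets, conditions, window_s):
    """packets: dicts with ts (whole seconds), dst, proto, port, size (bytes).
    Returns the signatures of conditions whose matching traffic exceeded the
    threshold in detection_time_s consecutive one-second buckets."""
    bytes_per_s = [[0] * window_s for _ in conditions]
    for pkt in packets:
        for i, cond in enumerate(conditions):
            if cond.matches(pkt) and 0 <= pkt["ts"] < window_s:
                bytes_per_s[i][pkt["ts"]] += pkt["size"]
    signatures = []
    for cond, series in zip(conditions, bytes_per_s):
        run = 0  # consecutive seconds above the threshold so far
        for nbytes in series:
            run = run + 1 if nbytes * 8 / 1000 > cond.threshold_kbps else 0
            if run >= cond.detection_time_s:
                signatures.append(cond.signature())
                break
    return signatures

def constructed_traffic():
    """Constructed sample: 400 kbps to 192.168.1.1:80 for 12 s, 80 kbps steady to
    192.168.1.2 (below its threshold), and a short burst to port 443."""
    pkts = []
    for ts in range(20):
        if 3 <= ts < 15:   # 50,000 B/s = 400 kbps, above 300 kbps for 12 s
            pkts.append({"ts": ts, "dst": "192.168.1.1", "proto": "TCP", "port": 80, "size": 50_000})
        if 5 <= ts < 7:    # 160 kbps on port 443 does not match the first condition
            pkts.append({"ts": ts, "dst": "192.168.1.1", "proto": "TCP", "port": 443, "size": 20_000})
        pkts.append({"ts": ts, "dst": "192.168.1.2", "proto": "UDP", "port": 53, "size": 10_000})
    return pkts
```

Note that a burst shorter than the detection time produces no signature, which is what keeps a momentary spike from being reported as a traffic abnormality.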

[0065] The method mentioned above is a method of previously setting the conditions for determining a case as an attack. However, another method may also be used, which includes measuring average traffic, previously storing the average traffic as steady traffic, and determining a case where the traffic deviates from the steady traffic as an attack.

[0066] The traffic abnormality information transmitter 11 is a processor that transmits traffic abnormality information, which includes the signature generated by the signature generator 12 and indicates that a traffic abnormality is detected, to the attack determining device 8. The traffic abnormality information transmitter 11 also transmits thereto a certificate, included in the traffic abnormality information, indicating that its own device is the authorized monitoring device 5. By including the certificate in the traffic abnormality information in this manner, spoofing by any unauthorized device can be prevented.

[0067] The traffic abnormality information transmitter 11 may also transmit the traffic abnormality information through a path different from the transmission line 6 through which packets are transmitted or received. According to the present embodiment, the traffic abnormality information is transmitted to the attack determining device 8, but the attack determining device 8 may also refer to the traffic abnormality information in the monitoring device 5.

[0068] The performance measuring device 7 shown in Fig. 1 is formed with a computer that executes a program for measuring the response time of an Internet site.

[0069] Fig. 4 is a block diagram of the configuration of the performance measuring device 7 shown in Fig. 1. The performance measuring device 7 includes a performance abnormality detector 16 that detects a performance abnormality based on preset performance abnormality detection conditions; a performance abnormality information transmitter 17 that transmits information on the performance abnormality detected to the attack determining device 8; and communication interfaces 18 and 19 for performing communication with the attack determining device 8 and for performing communication with each device whose performance is measured, respectively.

[0070] Fig. 5 is a diagram of one example of performance abnormality detection conditions. In Fig. 5, the performance abnormality detection conditions include two sets of records: a set of performance attributes, and a set of a detection threshold and the number of times of detection. The performance attribute indicates a procedure for measuring performance, the detection threshold indicates a threshold of the response time from the communication device 3, and the number of times of detection indicates the number of measurements and the number of those measurements in which the response time exceeds the threshold of the response time.

[0071] For example, a first performance abnormality detection condition is measurement of the response time from access to www.abc.com by the hypertext transfer protocol (HTTP) to the return of the character string "hello". If the response time is five seconds or more in two or more out of three measurements, this is detected as a performance abnormality of the communication device 3.

[0072] Likewise, a second performance abnormality detection condition detects, as a performance abnormality of the communication device 3, a case where there is even one response time of five seconds or more, the response time being from access to www.def.com by HTTP with the parameter "search?hl=ja&ie=UTF-8&q=x+Y&lr=" to the return of the character string "search result".

[0073] When the performance abnormality detector 16 detects the performance abnormality of the communication device 3 in the above manner, the performance abnormality information transmitter 17 transmits performance abnormality information indicating detection of the performance abnormality to the attack determining device 8. The performance abnormality information transmitter 17 also transmits thereto a certificate, included in the performance abnormality information, indicating that its own device is the authorized performance measuring device 7. By including the certificate in the performance abnormality information in this manner, spoofing by any unauthorized device can be prevented. According to the present embodiment, the performance abnormality information is transmitted to the attack determining device 8, but the attack determining device 8 may also refer to the performance abnormality information in the performance measuring device 7.

[0074] The method mentioned above is a method of previously setting the conditions for detecting a performance abnormality, but another method may also be used, which includes measuring an average performance feature, previously storing it as steady performance, and detecting a performance abnormality when the performance deviates from the steady performance.

[0075] Fig. 6 is a block diagram of the configuration of the attack determining device 8 shown in Fig. 1. The attack determining device 8 includes an effects determining unit 20 that determines whether the traffic abnormality detected causes the performance abnormality detected, based on the traffic abnormality information sent from the monitoring device 5 and the performance abnormality information sent from the performance measuring device 7; an alert transmitter 21 that reports the result of the determination to an operator and the like; and a communication interface 22 for performing communication with each of the monitoring device 5, the performance measuring device 7, and the device for reporting to the operator.

[0076] For example, suppose the host address of www.abc.com is 192.168.1.1. Assume that the attack determining device 8 receives, at time t, the traffic abnormality information indicating an abnormality of traffic in which the TCP port number for 192.168.1.1 is 80, and then receives, at a point in time t+a, the performance abnormality information indicating that an abnormality occurs in the response time of the communication device 3 hosting www.abc.com. In such a situation, if the times at which the abnormalities described by the traffic and performance abnormality information occur are close to each other (e.g., a is within 1 minute), the attack determining device 8 determines that there is a high probability that the traffic abnormality is causing the response degradation of www.abc.com, reports this effect to the operator through the alert transmitter 21, and prompts the operator to deal with this case.

[0077] When the effects determining unit 20 determines, in the above manner, that the case is a denial-of-service attack, the alert transmitter 21 transmits the traffic abnormality information and the performance abnormality information used for the determination to the device for reporting to the operator. According to the present embodiment, the traffic abnormality information and the performance abnormality information are transmitted to the device for reporting to the operator, but the attack determining device 8 may also be provided with a display unit, to report these pieces of abnormality information to the operator using the display unit.

[0078] The effects determining unit 20 may perform authorization based on the certificate included in the traffic abnormality information sent from the monitoring device 5 and the certificate included in the performance abnormality information sent from the performance measuring device 7, and only then determine whether the case is a denial-of-service attack. This removes the effects of forged traffic abnormality information and performance abnormality information.

[0079] The operations of the denial-of-service attack detecting system 1 configured in the above manner are explained below with reference to Fig. 7 through Fig. 9. Fig. 7 is a flowchart of the operation of the monitoring device 5 shown in Fig. 2.

[0080] When the traffic abnormality detector 10 detects an attack by packets transmitted to the communication device 3 based on the attack detection conditions (step S1), the signature generator 12 generates a signature indicating the feature of each of the packets by which the attack is detected (step S2), and the traffic abnormality information transmitter 11 transmits traffic abnormality information including the signature generated to the attack determining device 8 (step S3).

[0081] Fig. 8 is a flowchart of the operation of the performance measuring device 7 shown in Fig. 4. At first, when the performance abnormality detector 16 detects an abnormality of the response time of the communication device 3 based on the performance abnormality detection conditions (step S11), the performance abnormality detector 16 generates performance abnormality information including the information detected (step S12), and the performance abnormality information transmitter 17 transmits the performance abnormality information generated to the attack determining device 8 (step S13).

[0082] Fig. 9 is a flowchart of the operation of the attack determining device 8 shown in Fig. 6. When the traffic abnormality information is received from the monitoring device 5 (step S21), the attack determining device 8 searches, among the pieces of performance abnormality information received until then, for any performance abnormality which the traffic abnormality information received may have caused (step S22). When one is found, the attack determining device 8 transmits the relevant traffic abnormality information and performance abnormality information to the device for reporting to the operator (step S23).

[0083] When the performance abnormality information is received from the performance measuring device 7 (step S24), the attack determining device 8 searches, among the pieces of traffic abnormality information received until then, for any traffic abnormality which may have caused the performance abnormality received (step S25). When one is found, the attack determining device 8 transmits the relevant traffic abnormality information and performance abnormality information to the device for reporting to the operator (step S23).
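The following is an added example, not code from the patent, of the effects determining unit 20 as described in paragraphs [0076] and [0082] through [0083], together with the "two of three measurements of five seconds or more" check of paragraph [0071]. It handles both arrival orders (traffic information first, or performance information first) and raises an alert only when the two abnormalities concern the same host and occur within the tolerance. The host-to-address table beyond www.abc.com, the 60 s tolerance as a fixed value, and the event sequence are assumptions.

```python
from dataclasses import dataclass, field

# Assumed host-to-address mapping; [0076] gives only www.abc.com -> 192.168.1.1.
HOST_ADDR = {"www.abc.com": "192.168.1.1", "www.def.com": "192.168.1.3"}
TOLERANCE_S = 60  # "a is within 1 minute" in [0076]

def performance_abnormal(response_times_s, threshold_s=5.0, min_hits=2):
    """First condition of Fig. 5: abnormal when at least min_hits of the
    measurements take threshold_s or longer ("five seconds or more")."""
    return sum(rt >= threshold_s for rt in response_times_s) >= min_hits

@dataclass
class TrafficAbnormality:      # from monitoring device 5; carries the signature
    ts: float
    signature: dict

@dataclass
class PerformanceAbnormality:  # from performance measuring device 7
    ts: float
    host: str

@dataclass
class AttackDeterminingDevice:
    traffic: list = field(default_factory=list)
    perf: list = field(default_factory=list)
    alerts: list = field(default_factory=list)  # pairs handed to alert transmitter 21

    @staticmethod
    def related(t, p):
        """Effects determining unit 20: same host and times close to each other."""
        return (HOST_ADDR.get(p.host) == t.signature["dst"]
                and abs(p.ts - t.ts) <= TOLERANCE_S)

    def on_traffic(self, t):      # steps S21 to S23
        self.traffic.append(t)
        self.alerts.extend((t, p) for p in self.perf if self.related(t, p))

    def on_performance(self, p):  # steps S24, S25 and S23
        self.perf.append(p)
        self.alerts.extend((t, p) for t in self.traffic if self.related(t, p))

def run_scenario():
    """Constructed event sequence; returns the (traffic, performance) pairs alerted."""
    dev = AttackDeterminingDevice()
    # t = 1000: first condition of Fig. 3 fires for 192.168.1.1:80.
    dev.on_traffic(TrafficAbnormality(1000, {"dst": "192.168.1.1", "proto": "TCP", "port": 80}))
    # t = 1030: www.abc.com measured three times, two responses of 5 s or more.
    if performance_abnormal([6.1, 0.4, 7.3]):
        dev.on_performance(PerformanceAbnormality(1030, "www.abc.com"))
    # t = 1035: abnormality on another host, so no alert despite the close timing.
    dev.on_traffic(TrafficAbnormality(1035, {"dst": "192.168.1.2"}))
    # t = 1600: same host again, but 10 minutes after the traffic abnormality.
    dev.on_performance(PerformanceAbnormality(1600, "www.abc.com"))
    return dev.alerts
```

A traffic abnormality with no performance abnormality close to it in time, or one on a different host, is retained but never reported, which is the behaviour that filters out the detections that need no handling.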

[0084] As explained above, according to the denial-of-service attack detecting system 1, traffic abnormalities and performance abnormalities are detected, and it is determined whether there is a relationship between these abnormalities, thereby enabling detection of only a traffic abnormality which is the cause of a performance abnormality. Therefore, the improved detection precision of denial-of-service attacks allows detection of only a denial-of-service attack which needs to be dealt with by the operator.

[0085] The monitoring device, the performance measuring device, and the attack determining device according to the present embodiment implement their functions by causing each computer to load a program and execute it. More specifically, a program including a routine which detects a traffic abnormality of packets sent to a communication device is stored in a read only memory (ROM) etc. of the computer in the monitoring device. A program including a routine which detects a performance abnormality of a communication device is stored in the ROM etc. of the computer in the performance measuring device. A program including a routine which determines a relationship between traffic abnormality information and performance abnormality information is stored in the ROM etc. of the computer in the attack determining device. Each of the devices loads the relevant one of the programs into a central processing unit (CPU) and executes it, and it is thereby possible to form the monitoring device, the performance measuring device, and the attack determining device according to the present invention.

INDUSTRIAL APPLICABILITY

[0086] As explained above, the denial-of-service attack detecting system and the denial-of-service attack detecting method according to the present invention are suitable for detection of denial-of-service attacks on communication devices.



